Mark and Jürgen,

On 6/26/20 06:23, Mark Thomas wrote:
> On 26/06/2020 08:21, Jürgen Weber wrote:
>> Hi,
>>
>> when you run tomcat with jsvc and have jsvc drop privileges to a
>> different user, stdout and stderr log files are still created
>> with root as owner. Can you make jsvc create them as the -user ?
>
> I'm no C expert but my reading of
> https://github.com/apache/commons-daemon/blob/master/src/native/unix/native/jsvc-unix.c#L1039
> is no.

To be fair, jsvc *could* (be made to) do this, but that is not what
the current code looks like. Since the euid of the process when the
files are created is root (or elevated in some way), the ownership and
permissions of the file should be able to be set at that time before
privileges are dropped.

If these lines were to be added after 1071 (for stdout):

  if(chown(outfile, uid, gid)) {
    perror("chown");
    exit(1);
  }

Then the file could be owned by the unprivileged user/group. The uid
and gid are not currently available in the set_output function.

Hmm. If doreopen is true, then when trying to reopen the log files
(after dropping privileges), I think we'll get ENOACCESS. I don't use
jsvc so I haven't played around with it at all. I might be completely
wrong :)

-chris
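
The ordering discussed in the message above (set ownership while still privileged, then drop), as an added example that is not part of the original message and is not jsvc code. The names open_log_owned_by and drop_privileges and the default path demo-stdout.log are hypothetical; it uses fchown() on the open descriptor rather than chown() on the path, so a symlink swapped in at the log path cannot redirect the ownership change.

```c
#define _GNU_SOURCE /* O_NOFOLLOW, dprintf(), setgroups() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not jsvc code): while still privileged, open or create
 * the log and hand it to the account the daemon will run as; -1 on error. */
int open_log_owned_by(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink sitting at the log path. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0)
        return -1;
    errno = EINVAL; /* reported when the path is not a regular file */
    /* fstat/fchown use the descriptor: the file checked is the file changed. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || fchown(fd, uid, gid) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Drop to uid/gid: supplementary groups, then group, then user. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* A real drop must be irreversible: regaining root has to fail. */
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}

int main(int argc, char **argv)
{
    /* Demo: caller's own ids and a constructed default path, so no root needed. */
    int fd = open_log_owned_by(argc > 1 ? argv[1] : "demo-stdout.log", geteuid(), getegid());
    if (fd < 0 || drop_privileges(geteuid(), getegid()) != 0) {
        perror("demo");
        return 1;
    }
    dprintf(fd, "written after the privilege drop\n");
    return close(fd) != 0;
}
```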
